Apigee HealthAPIx proxies in evaluation org

I'm able to import HealthAPIx proxies in Edge by following the instructions here: https://github.com/apigee/flame. However, when I try to call a sample API I keep getting a 401 invalid_access_token error.

{
    "resourceType": "OperationOutcome",
    "text": {
        "status": "generated",
        "div": "<div><h1>Operation Outcome</h1><table border='0'><tr><td style='font-weight: bold;'>error</td><td>[]</td><td><pre>Unauthorized</pre></td>\\\n\\\t\\\t\\\t</tr>\\\n\\\t\\\t</table>\\\n\\\t</div>"
    },
    "issue": [
        {
            "severity": "error",
            "code": "unknown",
            "details": "invalid_access_token"
        }
    ]
}


I created the bearer token using the management API and the token works for other APIs (e.g. getting a proxy's details in my org). Any idea what I might be doing wrong? I'm using an evaluation org. The sample API call I'm making is below:

https://<my-eval-org-url>.apigee.net/fhir/v1/Patient/13066?_format=json

I created the bearer token using the management API and the token works for other APIs (e.g. getting a proxy's details in my org). Any idea what I might be doing wrong? I'm using an evaluation org. The sample API call I'm making is below:

I think there is a disconnect. There are two "API Endpoints" involved here.

  • The Apigee Admin API is exposed as a REST interface, available at api.enterprise.apigee.com/v1/. Through this you can create, modify, deploy or undeploy API Proxies; create, modify, update or delete things like API Products, developers, and developer apps; and many other things. The reference for this API is here. For authorization to this API, there are two options: Basic Auth and OAuthV2. If you have obtained an OAuthV2 token "using the management api", then you are using OAuthV2. The token you obtain is good for Management API requests.
  • Your FHIR endpoint, available at EVAL-ORG-ENV.apigee.net/fhir. This may also use OAuthV2, but the realm for these tokens is different than the realm for tokens that are good for the Apigee Management API. If you pass a token that is good for the management API to the /fhir API, and the API proxy listening at /fhir calls VerifyAccessToken, that check will fail, and you will see an "invalid_access_token" error as you have reported.

How to solve this?

Use the /token endpoint on your EVAL-ORG-ENV.apigee.net Apigee instance to get a token that is good for the /fhir endpoints, and pass THAT token to your fhir endpoint.

@Dino-at-Google - thanks a lot for reverting. I was able to generate a token (the /token API did not work but I was able to use this). However, I now get a 500 Internal Server Error. I'm trying to call this API. Is there any way I can see a list of valid pids for these APIs?
Sample GET call: https://<my-eval-org>.apigee.net/fhir/v1/Patient/13066?_format=json

{
    "resourceType": "OperationOutcome",
    "text": {
        "status": "generated",
        "div": "<div><h1>Operation Outcome</h1><table border="0"><tr><td style="font-weight: bold;">error</td><td>[]</td><td><pre>Gateway Timeout</pre></td>\n\t\t\t</tr>\n\t\t</table>\n\t</div>"
    },
    "issue": [
        {
            "severity": "error",
            "code": "unknown",
            "details": "Gateway Timeout"
        }
    ]
}

OK, you've gotten past one obstacle. The /accesstoken endpoint you used is the right one.

500 and Gateway Timeout is consistent with... an error connecting to the backend system.

I am not very familiar with the flame repo you are using, but checking the readme, it tries to connect to "http://fhirtest.uhn.ca/" .

Just trying that URL now, it is not responding.

So I think that the Apigee proxy is experiencing the same. To confirm this you can use Apigee trace. Click into one of the proxies that you'll invoke. Click the trace tab. Start a trace session. Invoke the API. In the Trace window, you should see the request... and it will show that the target is timing out. (screencast example showing Apigee trace here).

If you have an alternative FHIR Test endpoint, you can replace that url I cited above with the appropriate URL for your service. A quick google returns this page listing publicly-available FHIR endpoints.

I think we (you) should raise a bug on the /flame repo asking for an update to the default FHIR target endpoint, since the uhn.ca endpoint is not available.
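
The two failures discussed in this thread, as an added example that is not part of the original posts or of the flame repo: it builds a token request against the proxy's own OAuth endpoint (rather than reusing a management API token) and triages the OperationOutcome that comes back. The token path is a placeholder, and the assumption is that the deployed OAuth proxy accepts a standard client-credentials request with the developer app's key and secret; the sample bodies are trimmed copies of the responses quoted above.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumption: placeholder path; use the token path your deployed OAuth proxy exposes.
TOKEN_URL = "https://EVAL-ORG-ENV.apigee.net/<oauth-proxy-token-path>"

def build_token_request(token_url, client_key, client_secret):
    """Client-credentials request authenticated with the developer app's
    key and secret (not Apigee management API credentials)."""
    basic = base64.b64encode(f"{client_key}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def build_fhir_request(fhir_url, access_token):
    """Call to the /fhir proxy carrying the token issued by the proxy realm."""
    return urllib.request.Request(
        fhir_url, headers={"Authorization": f"Bearer {access_token}"})

def triage(http_status, body_text):
    """Map a proxy response to the layer that failed."""
    try:
        outcome = json.loads(body_text)
        details = [i.get("details", "") for i in outcome.get("issue", [])]
    except (ValueError, AttributeError):
        details = []  # not a FHIR OperationOutcome
    if http_status == 401 and "invalid_access_token" in details:
        return "token-realm"   # token was not issued by this proxy's OAuth endpoint
    if http_status in (500, 504) or "Gateway Timeout" in details:
        return "backend"       # proxy accepted the call; target server did not answer
    return "ok" if 200 <= http_status < 300 else "other"

# Constructed samples, trimmed from the responses quoted in this thread.
SAMPLE_401 = '{"resourceType": "OperationOutcome", "issue": [{"severity": "error", "code": "unknown", "details": "invalid_access_token"}]}'
SAMPLE_500 = '{"resourceType": "OperationOutcome", "issue": [{"severity": "error", "code": "unknown", "details": "Gateway Timeout"}]}'

if __name__ == "__main__":
    print(triage(401, SAMPLE_401), triage(500, SAMPLE_500))
```

Keep management API tokens out of calls to proxy endpoints: they authorize administration of the org, and the Authorization header of a traced request is visible in Trace.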

Once again - thanks for your time and efforts @Dino-at-Google. I should have included the trace xml for you to view. Opened an issue in github as advised. Thanks.

Hey @Dino-at-Google - do you mind pointing me to where you see the target URL connecting to http://fhirtest.uhn.ca/? I'd try to point to a different FHIR server and retry. I was able to create and get a patient API in the HAPI server, so basically I would try to replace the uhn server with this.

I saw that in the README of the flame repo.

Tagging @Paul Williams, since you talked about this some days back. Paul, do you have any idea where I might be able to change the target FHIR server in the HealthAPIx proxies from fhirtest.uhn.ca to hapi.fhir.org?